Add or Replace a Signed Certificate for the Conductor UI

Versions
v2.2.8 and later Conductors

By default, the Conductor comes with a Tempered factory-installed certificate. You can add your own custom certificate to prevent the “Your connection is not private” messages received on some browsers. A custom signed certificate is used by the Conductor for the SSL connection.

Important: For Conductors in HA environments, both Conductors must not be HA paired to upload and install custom certificates. Follow the steps for each Conductor. Once complete, HA pair the Conductors.

Note: When you are in the process of replacing a certificate, the Conductor uses the existing certificate until the replacement is complete.

Before you Begin

Before you can upload or replace a signed certificate, you need to have a CA certificate chain installed so that the Conductor can verify the certificates. For more information, see Install a Custom CA Certificate Chain.

Step 1: Request and copy a CSR (Certificate Signing Request) for the Conductor

Once you’ve installed CA certificates (see Install a Custom CA Certificate Chain), you can generate a Certificate Signing Request (CSR) to create a certificate (for example, with a PKI Registration Authority):

  1. In Conductor Settings, under Airwall Conductor Identity, click Actions, and then select Create certificate or Replace certificate.
    Airwall Conductor Identity settings
  2. Under Distinguished Name, enter the Identity (Distinguished Name) of the Conductor. If you’re replacing a certificate, you can leave the Distinguished name the same. For example, /C=US/O=Tempered/OU=Dev/CN=cond.example.com
    Conductor Distinguished name dialog
  3. Under CSR, select either Copy or Download to generate and get the CSR you need to get a signed certificate. (In versions 2.2.5 and earlier, select and copy the CSR.)
  4. Select Save.

Step 2: Get a signed certificate

Use the CSR to request a new signed certificate. You can generate a new signed certificate using your organization’s own process, or with a public PKI Registration Authority.

  1. Submit the Certificate Signing Request (CSR) you copied or downloaded to your Enterprise PKI Registration Authority. They use it to create your certificates.
  2. When you get the certificates, download or copy them.

Step 3: Upload the signed certificate to the Conductor

  1. In Conductor Settings, under General settings, scroll down to Airwall Conductor Identity, and select Edit.
  2. Under Signed Certificate, paste the custom-CA signed certificate to install the certificate on the Conductor.
    Create Airwall Conductor certificate dialog
  3. Select Save.
  4. Refresh your browser window to apply the new certificate.